Windows HELL

Dante was wrong, the first circle of hell isn't limbo… it's Windows!

A sample 802.1X configuration guide

Due to the complexity of 802.1X, there is a lot of documentation out there, but very few step-by-step guides on actually setting a system up to use it. This is merely the crib sheet I use to create a nominal 802.1X configuration. This setup uses computer certificates only, with users logging in with passwords (not smart cards). The servers are Windows Server 2008 R2 Enterprise, and the clients are Windows XP SP3 and Windows 7. Network gear consisted of Cisco 3750 and 2960 switches running IOS 12.2(52). Note that you have to have a K9 (cryptographic) version of the IOS, otherwise the security features are not available. These instructions may or may not work on different server/client versions. I know there are NPS client limitations on the Standard edition and that you cannot create custom certificate templates on Standard either, so Enterprise or better is required for your servers. Hopefully someone out there will find this helpful. As there are many, many, many ways to configure this stuff, you may need to adjust it for your needs. I cannot profess to be an expert by any means, but if you have a question about something in (or not in) this checklist, please leave a comment.

Configuration of 802.1X is a multi-step process. Reference: http://technet.microsoft.com/en-us/library/cc753354(WS.10).aspx. Intel vPro AMT, if used, should be configured and operational prior to running this procedure.

  1. Certificate Services
    This procedure assumes that an Enterprise CA has already been installed and that computer certificates have been provisioned to all workstations in the enterprise via Group Policy autoenrollment. Additionally, if you use Intel AMT, your primary site servers have been added to an AD security group called ‘SCCM Primary Site Servers’.
    1. In this step, we will create and deploy the NPS certificate template.
      1. On the certification authority server, start the Certification Authority MMC snap-in
      2. Expand the CA node.
      3. In the console tree, right-click Certificate Templates. Select the Manage option. The Certificate Templates console will appear. Note the Domain Controller that the Console is connected to.
      4. In the details pane, click the RAS and IAS Server template.
      5. On the Action menu, click Duplicate Template. In the Duplicate Template dialog box, select the Windows Server 2003, Enterprise Edition template version.
      6. Click OK. The Properties dialog box for the certificate template opens.
      7. On the General tab, in Display Name, type a name for the new certificate template.
      8. Click the Security tab. In Group or user names, click RAS and IAS servers.
      9. In Permissions for RAS and IAS servers, under Allow, select the Enroll and Autoenroll permission check boxes, and then click OK.
      10. Close the Certificate Templates Console.
      11. Force replication across Domain Controllers using Active Directory Sites and Services. Begin replication from the server noted earlier.
      12. In the Certification Authority Console, right-click the Certificate Templates node. On the Action menu, point to New, and then click Certificate Template to Issue.
      13. Select the template that was just created, and then click OK.
    2. (If using Intel AMT, otherwise go to next section). Here, we will create the Client Authentication certificates for 802.1X AMT-Based computers. This is separate from the normal client certificates issued by the domain.
      1. In the console tree, right-click Certificate Templates. Select the Manage option. The Certificate Templates console will appear. Note the Domain Controller that the Console is connected to.
      2. In the details pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template. In the Duplicate Template dialog box, select the Windows Server 2003, Enterprise Edition template version.
      3. Click OK. The Properties dialog box for the certificate template opens.
      4. On the General tab, in Display Name, type a name like ‘AMT 802.1X Client Authentication’.
      5. Click the Subject Name tab, and then click Supply in the request. Click OK in the warning dialog box for this setting.
      6. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
      7. Click Add, and add SCCM Primary Site Servers.
      8. Select the following Allow permissions for this group: Read and Enroll. Because the subject name is supplied in the request, any principal with Enroll on this template can obtain a client authentication certificate for an arbitrary computer name, so do not grant Enroll beyond the site servers.
      9. Close the Certificate Templates Console.
      10. Force replication across Domain Controllers using Active Directory Sites and Services. Begin replication from the server noted earlier.
      11. In the Certification Authority Console, right-click the Certificate Templates node. On the Action menu, point to New, and then click Certificate Template to Issue.
      12. Click AMT client template, and then click OK.
  2. NPS server
    1. Ensure that the NPS server is a member of the ‘RAS and IAS Servers’ group in Active Directory (the group that was granted Enroll and Autoenroll on the template above).
    2. Restart the server (or run certutil -pulse) so it autoenrolls the newly assigned server certificate. If the certificate does not autoenroll, open a Certificates MMC session for the computer account on the server and manually enroll the machine.
    3. Open the Server Manager Console and expand the tree to Roles | Network Policy and Access Services | NPS (local) | Policies | Connection Request Policies. Create a new Connection Request Policy. Name the new policy ‘Secure (Wired) Ethernet Connections’. Leave the type of network access server as Unspecified. Click Next.
    4. Add a new condition: NAS Port Type. In the popup, under Common 802.1X connection tunnel types, select Ethernet. Click OK, then Next.
    5. On the Specify Connection Request Forwarding page, ensure ‘Authenticate requests on this server’ is selected and click Next.
    6. Continue clicking Next until the Finish option appears, then click Finish.
    7. Verify the new policy is enabled and listed as Processing Order 1.
    8. In the tree, select ‘Network Policies’ and create a new network policy named ‘Secure Wired (Ethernet) Connections’.
    9. Type of network access server is ‘Unspecified’.
    10. Under Conditions, set ‘NAS Port Type’ to ‘Ethernet’, and ‘Windows Groups’ to ‘Domain Computers’ and ‘Domain Users’. Note that multiple groups inside the one ‘Windows Groups’ condition are evaluated as a logical OR; this is what lets the computer account authenticate at boot before anyone has logged on.
    11. Access permission is ‘Granted’.
    12. Add EAP Type ‘Microsoft: Protected EAP (PEAP)’. Verify that the settings have a certificate association (the NPS certificate enrolled above), that ‘Enable Fast Reconnect’ is selected, and that the EAP subtype is ‘Secured password (EAP-MSCHAP v2)’.
    13. Leave the default ‘Less secure authentication methods’ as is.
    14. Do not configure any constraints
    15. Add the following Standard attributes (if you want to pass VLAN settings via the NPS server; the switch applies them only if ‘aaa authorization network’ is enabled, see section 5):
      1. Tunnel-Medium-Type: 802 (includes all 802 media plus Ethernet canonical format)
      2. Tunnel-Preference: 1
      3. Tunnel-Pvt-Group-ID: <ID number or name of the VLAN to assign>
      4. Tunnel-Type: Virtual LANs (VLAN)
    16. Set the newly created policy at Processing Order 1.
  3. SCCM configuration (If using Intel AMT, otherwise go to next section)
    1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> – <site name> / Site Settings / Component Configuration.
    2. Right-click Out of Band Management, click Properties, and then click the 802.1X and Wireless tab.
    3. To configure 802.1X authentication for wired networks, select Enable 802.1X authentication for wired network access, and then click Set.
    4. In the Trusted Root Certificate for RADIUS Authentication dialog box, specify the trusted root certificate by selecting an enterprise CA from the forest. Ensure that From certification authority (CA) is selected, and select the CA from the drop-down list.
    5. Use the drop-down box to select PEAPv0/EAP-MSCHAPv2 as the client authentication method.
    6. Click Use client certificate to use a client certificate for authentication.
    7. Click Select, specify the Issuing CA to use for the client certificate and the RADIUS client certificate template ‘AMT 802.1X Client Authentication’, and then click OK.
    8. On ‘Out of Band Management Properties’ window, click OK.
  4. Group Policy
    CAUTION: DUE TO A BUG IN WINDOWS 2008 R2/WINDOWS 7, THIS GPO MUST BE CREATED ON A WINDOWS 2008 RTM MACHINE. OTHERWISE, THE GPO WILL NOT APPLY PROPERLY AND YOU WILL GET A CONNECTION FAILURE ERROR DUE TO ‘VALIDATE SERVER CERTIFICATE’ BEING ERRONEOUSLY CHECKED. See http://blogs.technet.com/b/asiasupp/archive/2010/11/03/validate-server-certificate-option-is-unexpected-to-check-in-wired-network-ieee-802-3-policies.aspx
    1. Create a new group policy
      1. Computer Configuration | Policies | Windows Settings | Security Settings | System Services. Define ‘Wired AutoConfig’ to Automatic with default security.
      2. Computer Configuration | Policies | Windows Settings | Security Settings | Wired Network (IEEE 802.3) Policies. Create a new wired network policy.
        1. Name the policy
        2. Ensure ‘Use Windows Wired Auto Config service for clients’ is checked.
        3. On the Security tab:
          1. ‘Enable use of IEEE 802.1X authentication for network access’ is checked.
          2. Network authentication method is ‘Microsoft: Protected EAP (PEAP)’.
          3. Click ‘Properties’:
            1. Uncheck ‘Validate server certificate’ (this is the box the caution above refers to). Understand the trade-off: with validation off, the supplicant will build its PEAP tunnel to any RADIUS server that answers, so a rogue switch or access point backed by an attacker’s RADIUS server can harvest the user’s MSCHAPv2 challenge/response. If you can, leave validation on and select your enterprise CA under ‘Trusted Root Certification Authorities’ instead.
            2. Authentication method is ‘Secured Password (EAP-MSCHAP v2)’.
            3. Click ‘Configure…’. Ensure Windows logon option is checked.
            4. ‘Enable Fast Reconnect’ is checked.
            5. Close ‘Protected EAP Properties’ window.
          4. Authentication Mode is ‘User re-authentication’.
          5. ‘Cache user information for subsequent connection to this network’ is checked.
          6. Click ‘Advanced…’:
            1. ‘Enable Single Sign On for the network’ is checked.
            2. ‘Allow additional dialogs to be displayed during Single Sign On’ is unchecked.
            3. Close ‘Advanced security settings’ window.
        4. Close policy properties window.
  5. Network Devices
    NOTE: This configuration assumes that RADIUS is already configured on the switch for other uses (e.g. SSH logins). If not, you’ll need to create a RADIUS client entry in the NPS server and input the server address and shared secret in the device configuration. Chuck Murison has a great blog on how to do this at: http://murison.wordpress.com/2010/11/11/cisco-radius-configuration-with-server-2008-r2/
    1. Enable RADIUS for 802.1X (at the global configuration prompt)
      1. aaa authentication dot1x default group radius
        This sets the device to use RADIUS (the NPS server) for 802.1X authentication
      2. aaa authorization network default group radius
        This sets the device to use RADIUS for network authorization; without it the VLAN attributes returned by NPS are ignored
      3. authentication mac-move permit
        This allows a host to move to a different port while its session on the old port is still open (the switch closes the old session)
      4. dot1x system-auth-control
        Globally turns on 802.1X authentication
    2. On a PER PORT basis, issue the following commands (a range command may be used to configure ports simultaneously):
      1. mab
        This allows for MAC authentication bypass (where required)
      2. authentication order dot1x mab
        This tells the switch to try 802.1X first and fall back to MAB only if the host does not respond
      3. authentication priority dot1x mab
        This makes 802.1X the higher-priority method, so a supplicant that starts up on a port already authorized by MAB can take the session over
      4. dot1x pae authenticator
        This sets the port’s PAE role to authenticator, so the switch answers supplicants on this port rather than acting as one itself
      5. authentication port-control auto
        This turns on 802.1X for the port: it starts unauthorized and passes only EAPOL until a host authenticates (the default, force-authorized, passes all traffic)
      6. Port may need to be shut/no shut to force the client to authenticate.
    3. Follow-on actions
      1. Set the default (access) VLAN for the port to something else (e.g. a guest or offline VLAN). Once the client authenticates, the switch moves the port to the VLAN returned in the Access-Accept (the Tunnel-Pvt-Group-ID configured in the NPS network policy above).
      2. Set a guest VLAN for machines that are being imaged and not yet capable of 802.1X authentication. On the interface:
        dot1x guest-vlan <vlan-id>
        The guest VLAN is used only when nothing answers the switch’s EAP-Request/Identity frames (a host that answers and then fails stays unauthorized unless an auth-fail VLAN is configured), so anything plugged in without a supplicant lands there; keep that VLAN isolated from the operations network.
      3. Device settings may need to be adjusted to prevent DHCP timeout prior to 802.1X timeout. The following settings were successfully used in the test lab:
        1. dot1x timeout quiet-period 3
          The number of seconds the switch stays idle after a failed authentication before it tries again.
        2. dot1x timeout tx-period 5
          The number of seconds between EAP-Request/Identity frames sent to the client; with the default of 30 seconds, a host without a supplicant can give up on DHCP before the switch falls through to the guest VLAN.
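The four Standard attributes in the NPS network policy (section 2, step 15) are plain RADIUS attributes from RFC 2868, and the only thing protecting the Access-Accept that carries them is the shared secret entered on the switch and in NPS. The following Python script is an added example, not code from this post or from Microsoft or Cisco: it encodes the Tunnel-Type, Tunnel-Medium-Type, Tunnel-Pvt-Group-ID and Tunnel-Preference attributes the way they travel on the wire, wraps them in an Access-Accept with the RFC 2865 Response Authenticator, and shows the check a switch performs before it trusts the VLAN assignment. The shared secret, packet identifier, Request Authenticator and tag value 1 are constructed assumptions.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types (RFC 2865, RFC 2868, RFC 3580).
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_PREFERENCE = 83

TUNNEL_TYPE_VLAN = 13       # "Virtual LANs (VLAN)" in the NPS attribute picker
TUNNEL_MEDIUM_IEEE_802 = 6  # "802 (includes all 802 media ...)" in NPS


def tagged_int(attr_type, tag, value):
    """Tagged integer attribute: Type, Length=6, Tag, 3-byte big-endian value."""
    return struct.pack(">BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, tag, text):
    """Tagged string attribute: Type, Length, Tag, then the string bytes."""
    data = bytes([tag]) + text.encode("ascii")
    return struct.pack(">BB", attr_type, 2 + len(data)) + data


def vlan_attributes(vlan, tag=1):
    """The four Standard attributes from the NPS network policy, wire-encoded.
    `vlan` may be a VLAN ID or a VLAN name, exactly as typed into NPS."""
    return (
        tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
        + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
        + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan))
        + tagged_int(TUNNEL_PREFERENCE, tag, 1)
    )


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Access-Accept with the Response Authenticator from RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(
        header + request_authenticator + attributes + secret
    ).digest()
    return header + response_auth + attributes


def verify_access_accept(packet, request_authenticator, secret):
    """What the switch does with the reply: recompute the Response Authenticator
    with its own copy of the shared secret and compare. A reply from a box that
    does not know the secret, or a tampered VLAN attribute, fails this check."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(
        packet[:4] + request_authenticator + packet[20:] + secret
    ).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_tunnel_attributes(attributes):
    """Decode the tunnel attributes back into {type: (tag, value)}."""
    decoded = {}
    pos = 0
    while pos < len(attributes):
        attr_type, length = attributes[pos], attributes[pos + 1]
        if length < 2 or pos + length > len(attributes):
            raise ValueError("malformed attribute")
        value = attributes[pos + 2:pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PREFERENCE):
            decoded[attr_type] = (value[0], int.from_bytes(value[1:], "big"))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 section 3.6: the first byte is a tag only if it is
            # 0x00-0x1F; otherwise it is part of the group ID string itself.
            if value[0] <= 0x1F:
                decoded[attr_type] = (value[0], value[1:].decode("ascii"))
            else:
                decoded[attr_type] = (0, value.decode("ascii"))
    return decoded


if __name__ == "__main__":
    # Constructed values: a real switch picks the identifier and a random
    # 16-byte Request Authenticator; the secret is the one entered in NPS.
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))
    packet = build_access_accept(7, request_auth, secret, vlan_attributes(200))
    print(packet.hex())
    print(verify_access_accept(packet, request_auth, secret))
    print(parse_tunnel_attributes(packet[20:]))
```

Two things are worth noticing when you run it: the Response Authenticator is an MD5 over the whole reply plus the secret, so a weak or widely shared RADIUS secret is what lets someone on the management path forge a VLAN assignment, and the Tunnel-Pvt-Group-ID is just a string, which is why NPS accepts either a VLAN number or a VLAN name in that field.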
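The per-port commands in section 5 have to be present on every access port, and a port that is missing ‘authentication port-control auto’ is simply open. The following Python script is an added example, not part of this post or of any Cisco tooling: it parses a running-config the way IOS prints it (global commands at column 0, interface sub-commands indented one space, blocks ended by ‘!’), checks the global and per-port commands from section 5 on every live access port, and flags ports that will pass traffic unauthenticated or that still use the default tx-period. The SAMPLE_CONFIG is a constructed excerpt, not a real switch.

```python
# Global and per-port commands from section 5 of the guide.
REQUIRED_GLOBAL = (
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "dot1x system-auth-control",
)
REQUIRED_PORT = (
    "authentication port-control auto",
    "authentication order dot1x mab",
    "authentication priority dot1x mab",
    "dot1x pae authenticator",
    "mab",
)

# Constructed running-config excerpt: Gi1/0/1 is done per the guide, Gi1/0/2
# was only half configured, Gi1/0/48 is a trunk uplink and out of scope.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
authentication mac-move permit
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport access vlan 999
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x guest-vlan 999
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 5
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
"""


def parse_config(text):
    """Split an IOS config into (set of global lines, {interface: [lines]}).
    Interface sub-commands are the lines indented by one space; a '!' or any
    other column-0 line ends the interface block."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            if raw != "!":
                global_lines.add(raw.strip())
    return global_lines, interfaces


def audit(text):
    """Return {scope: [findings]} for every scope that is not compliant."""
    global_lines, interfaces = parse_config(text)
    findings = {}
    missing = [c for c in REQUIRED_GLOBAL if c not in global_lines]
    if missing:
        findings["global"] = [f"missing '{c}'" for c in missing]
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines or "shutdown" in lines:
            continue  # only live access ports carry 802.1X
        port_findings = [f"missing '{c}'" for c in REQUIRED_PORT if c not in lines]
        if "authentication port-control auto" not in lines:
            # IOS defaults to force-authorized, i.e. no authentication at all.
            port_findings.append("port is force-authorized: traffic passes with no authentication")
        if not any(l.startswith("dot1x timeout tx-period") for l in lines):
            port_findings.append("tx-period left at default: hosts may time out DHCP before 802.1X completes")
        if port_findings:
            findings[name] = port_findings
    return findings


if __name__ == "__main__":
    for scope, items in audit(SAMPLE_CONFIG).items():
        for item in items:
            print(f"{scope}: {item}")
```

To use it on a real switch, save the output of ‘show running-config’ to a file and pass its contents to audit(); the port-level findings are the ones to act on first, since a half-configured port is indistinguishable from an unprotected one to whoever plugs into it.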

10 responses to “A sample 802.1X configuration guide”

  1. osidc January 11, 2012 at 4:52 pm

    Where do you register the MAC addresses of the devices.
    In NPS I don’t see the option to register the MAC addresses. Please advise.

    • newmanth January 11, 2012 at 5:44 pm

      In my configuration, I don’t use MAC addresses. The RADIUS clients are defined via IP addresses (using a shared secret for security), and the Windows workstations all use PKI computer certificates for identity. The link I have to Chuck’s blog entry describes how to set these up in NPS. On Cisco gear, you can define MAC authentication bypass rules for machines that are not 802.1x compliant (link to Cisco details here). I think it MAY be possible to define NPS rules using MAC for workstation clients, but I have never tried (since MAC addresses are easy to spoof and are not secure).

      • osidc January 11, 2012 at 8:00 pm

        thank you for your reply. I will only use the option of MAB on printers and other equipment which is not 802.1x compliant but needs network connectivity. This project is starting tomorrow & will see how it goes. I will configure a guest-vlan & auth-fail vlan. The printers are not going to be placed in the guest-vlan; we have a specific VLAN for printers.
        Let me go to Chuck’s blog, maybe I will get some answers.
        I give thumbs up to this blog

  2. reena_gill@hotmail.com January 26, 2012 at 6:55 pm

    Excellent information – thank you so much. I have been going through so much material online so far this is the most clear and concise document :) One quick question. Do I need to issue user certificates as well as computer certificates for 802.1x authentication? Right now I just have computer certificates issued.

    • newmanth January 26, 2012 at 8:36 pm

      Whether or not you use user certificates is up to you. They are not required for the configuration I described; it uses security groups and AD logins instead. The only case I can think of where you’ll want to use user certificates for 802.1x is if all of your users have smart cards.

      • reena_gill@hotmail.com January 26, 2012 at 8:45 pm

        Ok, problem is some of my clients are macs and linux workstations that are not domain bound – so I think I might need to use user certificates via web enrollment for them. Thanks!

  3. R February 16, 2012 at 5:03 am

    my issue is when I set up 802.1x on a client system and log off Windows 7, I lose the port connectivity. So the PC can no longer be RDP’d to, sent Windows updates, etc. Basically I can’t do anything until that user logs back in and authenticates the port.

    • newmanth February 16, 2012 at 3:18 pm

      It appears that your configuration is not allowing computer-only authentication (which you need to allow if you want connectivity while nobody is logged on). A couple of things you should check. First, make sure that your GPO wired network policy uses “User or Computer authentication” for its authentication mode. Second, make sure your network policy server has its policy configured so that the condition allows your users OR your computers (e.g. Domain Users OR Domain Computers) as authorized groups.

      Hope this helps.

  4. Pandu E Poluan July 26, 2012 at 10:35 am

    Nice guide!

    What I am still wondering (not explicitly stated in your guide) is whether any changes (besides those being pushed/forced via GPO) are required on the Windows XP SP3 and/or Windows 7 clients.

    • newmanth July 26, 2012 at 2:06 pm

      I have a really hard time with configurations that require me to actually touch workstations, since a majority of the machines that we manage are more than a hundred miles away, so I don’t believe that any changes are required on the clients, other than the specified group policy settings. However, I vaguely remember there might be a bug in the group policy settings for Windows XP, where the certificate validation selection doesn’t actually work.

      If you’re having a specific problem with your configuration, let me know and I’ll see if I can help you figure it out…
